State-by-State Cybersecurity Laws and Requirements
The United States lacks a single federal cybersecurity statute governing private-sector obligations, leaving a patchwork of 50 state frameworks that differ substantially in scope, enforcement mechanisms, penalty structures, and covered entity definitions. This page maps the structural landscape of state cybersecurity law across breach notification, data privacy, critical infrastructure protection, and sector-specific mandates. Professionals, compliance officers, and researchers navigating multi-state obligations will find classification boundaries, regulatory drivers, and a comparative reference matrix across key jurisdictions.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
Definition and scope
State cybersecurity law encompasses statutory obligations imposed on organizations that collect, store, process, or transmit personal information belonging to residents of a given state. These obligations fall into three primary regulatory categories: breach notification requirements, affirmative data security mandates, and comprehensive consumer privacy rights frameworks.
All 50 U.S. states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have enacted breach notification statutes, making this the most uniformly adopted layer of state cybersecurity regulation (National Conference of State Legislatures, Security Breach Notification Laws). Beyond notification, 23 states have enacted statutes requiring covered entities to implement "reasonable security measures" or their equivalent, though the definition of reasonable varies significantly by jurisdiction.
Comprehensive privacy laws with embedded security obligations — modeled loosely on the California and Virginia frameworks — had been enacted by 13 states as of 2024, including California, Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Delaware, Iowa, Indiana, Tennessee, Florida, and New Hampshire (International Association of Privacy Professionals, U.S. State Privacy Legislation Tracker). Several further states enacted omnibus laws during 2024, so the count should be checked against the tracker before use.
Core mechanics or structure
State cybersecurity frameworks operate through four structural mechanisms that interact across the compliance lifecycle.
1. Breach Notification Triggers
Notification obligations activate when "personal information" — defined by statute — is accessed or acquired without authorization. Definitions of personal information vary: California's Civil Code § 1798.82 covers medical, health-insurance, and biometric data and online account credentials alongside Social Security numbers, while narrower statutes limit scope to Social Security numbers, financial account numbers (with any required access code), and government-issued ID numbers. Even recent enactments differ: Alabama's 2018 act (Ala. Code § 8-38-1 et seq.) adds medical, health-insurance, and account-credential data to the core set, so the same incident can be a notifiable breach in one state and not in another.
2. Notification Timelines
Post-discovery notification windows range from 30 days (Florida, Fla. Stat. § 501.171; Colorado, C.R.S. § 6-1-716) through 45 or 60 days (many states) to "expedient time" without a fixed deadline (a number of older statutes). New York's SHIELD Act mandates notification "in the most expedient time possible and without unreasonable delay" (N.Y. Gen. Bus. Law § 899-aa). Many statutes also add a separate regulator notice (attorney general or state agency) once the number of affected residents crosses a threshold, with its own deadline.
3. Affirmative Security Programs
States including Massachusetts, New York, and Oregon require covered entities to maintain written information security programs (WISPs). Massachusetts's 201 CMR 17.00 is the most prescriptive, requiring documented risk assessments, employee training, vendor contract controls, and technical safeguards including encryption of personal data transmitted over public networks (201 CMR 17.00, Office of Consumer Affairs and Business Regulation).
4. Regulatory Enforcement
Enforcement authority rests primarily with state attorneys general. Penalty structures vary: Illinois's Biometric Information Privacy Act (BIPA) creates a private right of action with liquidated damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation (740 ILCS 14/20), producing litigation exposure disproportionate to other state regimes. An August 2024 amendment provides that repeated collection or disclosure of the same person's biometric identifier by the same means counts as a single violation, curbing the per-scan damages theory that had driven the largest settlements.
Causal relationships or drivers
The fragmented state-level landscape is a direct product of federal legislative inaction. Congress has not enacted a preemptive national data privacy or cybersecurity statute covering the private sector broadly, a gap that has persisted since early proposals including the Consumer Privacy Protection Act of 2017 failed to advance.
States respond to high-profile breach events with accelerated legislative activity. California enacted the California Consumer Privacy Act (CCPA) in 2018 following the Cambridge Analytica disclosures and subsequent public pressure, then strengthened it via the California Privacy Rights Act (CPRA) ballot measure in 2020 (California Privacy Protection Agency, CPRA Overview). New York's SHIELD Act (2019) was a direct response to the 2017 Equifax breach affecting an estimated 147 million consumers (FTC Equifax Data Breach Settlement).
Sector-specific federal frameworks — HIPAA for healthcare, Gramm-Leach-Bliley for financial services, FERPA for education — create partial preemption that further complicates multi-state compliance. An organization operating in healthcare across 12 states must satisfy HIPAA's Security Rule floor while also evaluating whether state laws impose additional obligations not preempted by the federal floor.
Classification boundaries
State cybersecurity statutes sort into four categories based on their operative mechanism. The categories overlap in practice: a single state's code (New York, California) can contain a statute in each of them, and a single statute can carry both a notification duty and a security mandate.
Breach Notification Statutes — reactive obligations triggered by a qualifying incident. All 50 states plus D.C., Puerto Rico, and the Virgin Islands maintain these.
Affirmative Security Mandate Statutes — proactive obligations requiring a documented security program before any incident occurs. Massachusetts (201 CMR 17.00), New York (SHIELD Act, Part II), and Oregon (ORS § 646A.622) are the primary examples.
Comprehensive Consumer Privacy Laws — omnibus frameworks granting consumer rights (access, deletion, portability, opt-out of sale) alongside security obligations. The 13-state group as of 2024 follows the California/Virginia/Colorado model with variations in applicability thresholds.
Sector-Specific State Laws — statutes targeting a specific industry or data type. Illinois BIPA targets biometric data across all industries. Nevada's SB 220 (2019) requires operators of commercial websites and online services to honor consumer requests to opt out of the sale of covered information. New York's NYDFS Cybersecurity Regulation (23 NYCRR 500) applies to financial services licensees and requires annual certification, penetration testing, and multi-factor authentication (NYDFS 23 NYCRR 500).
Tradeoffs and tensions
Compliance cost vs. coverage breadth: Omnibus state privacy laws apply to organizations meeting revenue or data-volume thresholds. California's CPRA applies to for-profit businesses meeting at least 1 of 3 thresholds: $25 million in gross annual revenue, buying/selling personal information of 100,000 or more consumers/households annually, or deriving 50% or more of annual revenue from selling personal information (CPRA, Cal. Civ. Code § 1798.140). Smaller organizations below these thresholds avoid omnibus obligations but may still face notification and affirmative security mandates.
Uniformity vs. state sovereignty: Industry coalitions have consistently advocated for a single federal preemptive standard to reduce compliance overhead across 50 jurisdictions. Privacy and consumer advocacy organizations have opposed federal preemption proposals that would lower protections below California's floor, creating a structural impasse in Congress.
Private right of action vs. AG enforcement: States with private rights of action (Illinois, California under CPRA's limited scope) generate substantially higher litigation volume than states where only the attorney general may sue. This asymmetry affects organizational risk modeling disproportionately relative to the underlying statutory text.
Encryption safe harbors: At least 14 states — including California, Florida, Ohio, and Texas — provide that properly encrypted data, when breached, does not trigger notification obligations. The definition of "properly encrypted" is not uniform across those states, creating ambiguity for organizations relying on safe harbor protection.
Common misconceptions
Misconception: Federal law preempts state breach notification requirements.
HIPAA preempts state breach notification only when the state law is "contrary to" and "less stringent than" the federal requirement (45 CFR § 160.203). States may impose more stringent obligations, and HIPAA does not preempt state laws for non-covered entities.
Misconception: Compliance with California's CPRA satisfies multi-state obligations.
California's framework is among the most expansive, but it does not replicate every state's requirements. Illinois BIPA imposes separate biometric-specific obligations. New York's NYDFS 23 NYCRR 500 requires financial licensee certifications not present in CPRA. Vermont's data broker law (9 V.S.A. § 2446) and Texas's data broker law (SB 2105, 2023) impose registration requirements that California's CPRA does not.
Misconception: Only companies headquartered in a state are subject to that state's laws.
State breach notification and privacy statutes apply based on the residency of affected individuals, not the company's domicile; some additionally reach any business conducting business in the state. An organization headquartered in Delaware must comply with California, Texas, and Virginia law if it processes data belonging to residents of those states (subject, for the omnibus privacy laws, to each state's applicability thresholds).
Misconception: Notification timelines begin at the breach event.
State statutes measure the notification window from discovery of the breach (or, in some statutes, from the determination that a breach has occurred), not from the date the breach occurred. The distinction is operationally significant: a breach that occurred in January but was discovered in March triggers the clock in March. It also means that the quality of detection and logging directly determines when the legal clock starts, which is why forensic timelines should record both the intrusion date and the discovery date.
Checklist or steps (non-advisory)
The following sequence reflects the structural phases of multi-state cybersecurity compliance program development. The control families it draws on are those catalogued in NIST SP 800-53 Rev. 5 (risk assessment, incident response, awareness and training, supply chain) and in state regulatory guidance such as 201 CMR 17.00; neither source prescribes this ordering.
- Inventory personal information flows — document what categories of personal information are collected, stored, processed, and transmitted, and identify the states of residence of affected individuals.
- Map applicable statutes — for each state represented in the data inventory, identify which of the four statute categories apply (notification, affirmative security, omnibus privacy, sector-specific).
- Identify the most stringent threshold per obligation type — determine which state's definition of "personal information" is broadest, which notification timeline is shortest, and which security program requirements are most prescriptive.
- Draft or update a Written Information Security Program (WISP) — document risk assessment methodology, technical controls, administrative controls, and physical safeguards consistent with the most stringent applicable state standard (typically Massachusetts 201 CMR 17.00).
- Establish an incident response plan — define detection, containment, investigation, and notification workflows with timeline triggers mapped to the shortest applicable state window (e.g., 30 days for Florida-resident data).
- Implement vendor management controls — document data processing agreements with third-party vendors consistent with the SHIELD Act, CPRA, 201 CMR 17.00's vendor-oversight provisions, and 23 NYCRR 500 § 500.11 (third-party service provider policy) as applicable.
- Train personnel — conduct role-specific training on data handling, incident reporting escalation paths, and phishing recognition consistent with state program requirements.
- Schedule periodic re-assessment — align review cycles to the annual certification requirement of NYDFS 23 NYCRR 500 if applicable, to the at-least-annual program review required by 201 CMR 17.00, or otherwise to a fixed cadence tied to the NIST Cybersecurity Framework 2.0 functions (NIST CSF 2.0), which do not prescribe a review interval.
Reference table or matrix
State Cybersecurity Law Comparison — Selected Jurisdictions
| State | Breach Notification Deadline (from discovery) | Written Security Program Mandate | Omnibus Privacy Law | Private Right of Action | Key Statute/Regulation |
|---|---|---|---|---|---|
| California | Expedient / without unreasonable delay | No standalone program mandate (reasonable security duty, § 1798.81.5) | Yes (CCPA 2020; CPRA amendments effective 2023) | Limited (data breach only, § 1798.150) | Cal. Civ. Code § 1798.82; § 1798.100 |
| New York | Expedient / without unreasonable delay | Yes (SHIELD Act Part II) | No (sector-specific only) | No (AG enforcement) | N.Y. Gen. Bus. Law § 899-aa; 23 NYCRR 500 |
| Texas | 60 days | No standalone program mandate (reasonable procedures duty, § 521.052) | Yes (TDPSA, effective July 2024) | No (AG enforcement) | Tex. Bus. & Com. Code § 521; HB 4 |
| Florida | 30 days | No standalone mandate | No | No (AG enforcement) | Fla. Stat. § 501.171 |
| Illinois | Expedient / without unreasonable delay | No standalone mandate | No (BIPA for biometrics) | Yes (BIPA — $1,000–$5,000/violation) | 815 ILCS 530; 740 ILCS 14 |
| Massachusetts | Expedient / without unreasonable delay | Yes (201 CMR 17.00) | No | No (AG enforcement) | M.G.L. c. 93H; 201 CMR 17.00 |
| Colorado | 30 days (to AG); 30 days (to consumers) | No standalone mandate | Yes (CPA, 2023) | No (AG enforcement) | C.R.S. § 6-1-716; CPA § 6-1-1301 |
| Virginia | Without unreasonable delay | No standalone mandate | Yes (VCDPA, 2023) | No (AG enforcement) | Va. Code § 18.2-186.6; VCDPA § 59.1-575 |
| Oregon | 45 days | Yes (ORS § 646A.622) | Yes (OCPA, 2024) | No (AG enforcement) | ORS § 646A.604; § 646A.622 |
| New Mexico | 45 days | No standalone mandate | No | No (AG enforcement) | N.M. Stat. § 57-12C-1 |
Note: Deadlines and law status reflect enacted statutes as summarized on this page; several entries (fixed day counts, effective dates, regulator-notice thresholds) change by amendment. Organizations should verify effective dates and amendment status against official state legislative databases before relying on this matrix for compliance determinations.
References
- Cal. Civ. Code § 1798.29 and § 1798.82 (California breach notification)
- Fla. Stat. § 501.171 (Florida Information Protection Act)
- N.Y. Gen. Bus. Law § 899-aa (New York SHIELD Act)
- 201 CMR 17.00, Massachusetts Office of Consumer Affairs and Business Regulation
- Cybersecurity and Infrastructure Security Agency (CISA)
- CISA Cybersecurity Alerts
- NIST Cybersecurity Framework 2.0
- NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations